Suspicious X509Enrollment - Ps Script
Detect use of X509Enrollment
Sigma rule (View on GitHub)
1title: Suspicious X509Enrollment - Ps Script
2id: 504d63cb-0dba-4d02-8531-e72981aace2c
3related:
4 - id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
5 type: similar
6status: test
7description: Detect use of X509Enrollment
8references:
9 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
10 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
11 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
12author: frack113
13date: 2022-12-23
14tags:
15 - attack.defense-evasion
16 - attack.t1553.004
17logsource:
18 product: windows
19 category: ps_script
20 definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22 selection:
23 ScriptBlockText|contains:
24 - 'X509Enrollment.CBinaryConverter'
25 - '884e2002-217d-11da-b2a4-000e7bbb2b09'
26 condition: selection
27falsepositives:
28 - Legitimate administrative script
29level: medium
References
-
PowerShell is the favorit tool of IT guys, who are responsible for administration of Windows infrastructures. It allows them to manage differen services…
Read More -
PowerShell is the favorit tool of IT guys, who are responsible for administration of Windows infrastructures. It allows them to manage differen services…
Read More -
Learn more about the Microsoft.Hpc.Scheduler.Store.CX509EnrollmentWebClassFactoryClass in the Microsoft.Hpc.Scheduler.Store namespace.
Read More
Related rules
- Cisco Crypto Commands
- Install Root Certificate
- New Root Certificate Installed Via CertMgr.EXE
- New Root Certificate Installed Via Certutil.EXE
- Root Certificate Installed - PowerShell